Information Security Management ResourceKit

A Public Service of SecureTheVillage

stan

Information Security Manager

The Information Security Manager [ISM] is the organization’s most-senior level person with management and leadership responsibility for information security. The ISM may also be called the Chief Information Security Officer, CISO.

In mid-size and smaller organizations, the Information Security Management position is often not a full-time position. Thus the ISM will have other responsibilities, such as CFO, Chief Operations Officer, Managing Partner, Chief Legal Officer, Chief Risk Officer, or other.

The Information Security Manager is

  • Appointed by the organization’s Chief Executive with the responsibility, accountability and authority for information security management and the leadership responsibility for evolving a cyber-adaptive culture.
  • Leads the Information Security Management & Leadership Team to manage the organization’s information risk
  • Works with the organization’s attorneys and others to manage the organization’s operational compliance with applicable information security laws, regulations and contractual requirements
  • Works with IT to ensure security of the IT infrastructureis managed in accordance with documented security standards, such as SecureTheVillage’s Code of Basic IT Security Management Practices.
  • Works with HR and other managers to SecureTheHuman

 

Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.

Third-Party Security Management Basic Requirements

The Information Security Manager (ISM) is to manage the information security risk associated with the sharing of sensitive information with third-parties by

  1. Maintaining a documented plan for managing 3rd-party risk
  2. Providing third-parties with information security requirements, including applicable legal and contractual requirements
  3. Gaining contractual assurance from third-parties that they commit to following information security requirements
  4. Providing guidance to third-parties for compliance, as requested

The ISM is to maintain, at a minimum, a complete list of 3rd-parties with whom protected information is shared with the following information for each 3rd-party on the list:

  • 3rd-Party Name
  • Point of Contact and contact information
  • Kinds of information shared
  • Date on which 3rd-party was sent requirements
  • Date on which contractual assurance was received

 

 

Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.

Security Classifications

Security Classifications

Information Owners determine the sensitivity of the information they “own.” In doing so, they follow a “standard” language that helps ensure that everyone will know how to protect the information they use in performing their professional duties.

Many organizations classify information into three categories:

  • Public Information
  • Internal Use Only Information
  • Restricted Information

Public Information

This information has been specifically designated by its Owner as intended for Public release. Unauthorized disclosure of this information is not expected to cause problems for the organization or it’s community. There are no restrictions on access to or dissemination of Public information.

Examples of Public information: websites, newsletters, brochures, and marketing materials.

Internal Use Only Information

This information is intended for use within an organization, and in some cases within affiliated organizations, such as customers or vendors. There is no need or reason for disclosing this information to those outside the organization although the damage from this happening is likely minimal.

Examples of Internal Use Only: The Employee Manual, forms and templates, training materials, organizational policies, and personnel phone extension lists.

All Users are authorized access to Internal Use Only information.

Restricted Information

This information is private or otherwise sensitive in nature and is to be restricted to those with a legitimate need for access, a need-to-know. Unauthorized disclosure of this information to people without an explicit need for access may be against laws and regulations, may cause significant problems for the organization or may even cause grave damage to the organization.

Examples of Restricted Information: Client and staff personally identifiable information (PII), electronic protected health information (ePHI), client credit card numbers, client personal information, staff social security numbers, staff bank account numbers, staff salary data.

Access to restricted information is limited to only personnel or others, including vendors, whose task requires such access. The Information Owner determines specific access privileges to restricted information. Access to restricted information is based on a strict need-to-know.

 

Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.

Insurance Considerations in Hiring an IT Organization

Certificate of Insurance

Ask the organization to provide a certificate of insurance naming the above entities as Additional Insureds on behalf of the above entities per written contract. A blanket additional insured endorsement is acceptable with language such as: “only where this form is specifically requested by an executed contract” and must be accompanied by an approved contract. Otherwise, please provide endorsement(s) evidencing additional insured status with the certificate for products and completed operations and ongoing operations (CG 2010, CG 20 37, CG 20 33 or equivalent). All names must be listed on the endorsement as additional insureds. Insurance companies must be an A Rated VIII Carrier or better.

Required minimum limits of no less than

General Liability         $1,000,000     Per Occurrence incl. Products and Completed operations

$2,000,000     Per Aggregate

Auto Liability              $1,000,000     Combined Single Limit

Umbrella Liability       $1,000,000     Per Occurrence

$1,000,000     Per Aggregate

Policy endorsement naming the entities listed above as primary and non-contributory and waiver of subrogation is recommended.

Cross liability exclusion will be amended for claims brought by the above entities as additional insured if needed.

Workers Compensation

Certificate of insurance evidencing proof of workers compensation with limits not less than:

Workers Compensation                      $1,000,000      Per Accident\Disease\Aggregate

Endorsement providing waiver of subrogation is on workers compensation may be considered.

Professional Liability

Professional Liability covering the full scope of services and activities performed by the IT company.

Technology Errors & Omissions    $1,000,000     Per Occurrence

$2,000,000     Aggregate

Other Requirements

Coverage considerations including but not limited to the following should be required:

  1. Acts, errors, or omissions arising out of professional services or products.
  2. Network Security Liability.
  3. Privacy Liability.
  4. Third party notifications costs.
  5. Media Liability as required.

 

Contributed by 
Howard A. Miller, CRM, CIC
Vice President, LBW Insurance | Financial Services
SecureTheVillage Board of Directors
SecureTheVillage Leadership Council
© Copyright 2017. Howard Miller, CRM, CIC. All Rights Reserved.